中国龙历 4.10 简单算法分析
文章标题:中国龙历 4.10破解分析破解作者:风球
破解工具:PEID,OD
下载地址:http://www.onlinedown.net/soft/44341.htm
软件简介:本软件涉及到您工作和生活中多方面的内容需求,拥有从时间日历、电脑系统、游戏娱乐、工作管理到网络操作等十几种相关功能,能给您的工作和生活带来秘书级服务。
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
很久没玩过破解了,今天就拿了几个简单的软件来练练手吧```哈```恐怕以后都会很少时间来上网了
PEID查壳为PECompact 2.x -> Jeremy Collake,手动脱壳,OD载入来到
00401000 >B8 F8AE5D00 mov eax,CNlongly.005DAEF8
00401005 50 push eax
00401006 64:FF35 0000000>push dword ptr fs:
0040100D 64:8925 0000000>mov dword ptr fs:,esp ; 单步到这里使用ESP定律
00401014 33C0 xor eax,eax
00401016 8908 mov dword ptr ds:,ecx
然后命令行下断 HR ESP ,F9运行中断,清除硬件断点,往下拉来到
005DAFC3 5B pop ebx
005DAFC4 5D pop ebp
005DAFC5 FFE0 jmp eax ; 运行到所选,再单步来到,原来是双层壳
005D1001 60 pushad
005D1002 E8 03000000 call CNlongly.005D100A ; 单步来到这里到使用ESP定律即可来到OEP
005D1007- E9 EB045D45 jmp 45BA14F7
005D100C 55 push ebp
005D100D C3 retn
来到OEP知道原来是个VB程序,直接脱壳。。。
00409F58 68 90C14000 push CNlongly.0040C190 ; ASCII "VB5!6&vb6chs.dll"
00409F5D E8 EEFFFFFF call CNlongly.00409F50 ; jmp to msvbvm60.ThunRTMain
至此脱壳完成,下面进行算法分析部分。。。
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
004EEF41 55 push ebp
004EEF42 8BEC mov ebp,esp
004EEF44 83EC 18 sub esp,18
004EEF47 68 769A4000 push <jmp.&msvbvm60.__vbaExceptHandler>
'''删去部分无关非重要代码'''
004EEFA9 C745 FC 0300000>mov dword ptr ss:,3
004EEFB0 C745 88 0400000>mov dword ptr ss:,4
004EEFB7 C745 80 0200000>mov dword ptr ss:,2
004EEFBE 8B45 08 mov eax,dword ptr ss:
004EEFC1 83C0 34 add eax,34
004EEFC4 8985 A8FEFFFF mov dword ptr ss:,eax
004EEFCA C785 A0FEFFFF 0>mov dword ptr ss:,4008
004EEFD4 8D45 80 lea eax,dword ptr ss:
004EEFD7 50 push eax
004EEFD8 6A 09 push 9
004EEFDA 8D85 A0FEFFFF lea eax,dword ptr ss:
004EEFE0 50 push eax
004EEFE1 8D85 70FFFFFF lea eax,dword ptr ss:
004EEFE7 50 push eax
004EEFE8 E8 0FACF1FF call <jmp.&msvbvm60.rtcMidCharVar> ; 相当于Mid(字符,9,4)
004EEFED 8D85 70FFFFFF lea eax,dword ptr ss:
004EEFF3 50 push eax
004EEFF4 8D45 BC lea eax,dword ptr ss:
004EEFF7 50 push eax
004EEFF8 E8 A7ACF1FF call <jmp.&msvbvm60.__vbaStrVarVal>
004EEFFD 50 push eax ; 得到(UNICODE "1572")
004EEFFE E8 0DADF1FF call <jmp.&msvbvm60.rtcR8ValFromBstr>
004EF003 DD9D 40FEFFFF fstp qword ptr ss: ; st=1572.0000000000000000
004EF009 0FBF05 64B05B00 movsx eax,word ptr ds:
004EF010 8985 1CFEFFFF mov dword ptr ss:,eax
004EF016 83BD 1CFEFFFF 0>cmp dword ptr ss:,0D
004EF01D 73 09 jnb short 5.004EF028
004EF01F 83A5 CCFDFFFF 0>and dword ptr ss:,0
004EF026 EB 0B jmp short 5.004EF033
004EF028 E8 59ACF1FF call <jmp.&msvbvm60.__vbaGenerateBoundsError>
004EF02D 8985 CCFDFFFF mov dword ptr ss:,eax
004EF033 8B85 1CFEFFFF mov eax,dword ptr ss:
004EF039 8B0D 78B05B00 mov ecx,dword ptr ds:
004EF03F 0FBF0441 movsx eax,word ptr ds:
004EF043 8985 C8FDFFFF mov dword ptr ss:,eax
004EF049 DB85 C8FDFFFF fild dword ptr ss: ; 固定数值s:=000000A5 (十进制 165.)
004EF04F DD9D C0FDFFFF fstp qword ptr ss: ; st=165.00000000000000000
004EF055 DD85 40FEFFFF fld qword ptr ss:
004EF05B DC8D C0FDFFFF fmul qword ptr ss: ; 相乘1572*165
004EF061 DFE0 fstsw ax
004EF063 A8 0D test al,0D
004EF065 0F85 522F0000 jnz 5.004F1FBD
004EF06B 51 push ecx
004EF06C 51 push ecx
004EF06D DD1C24 fstp qword ptr ss: ; 结果st=259380.00000000000000
004EF070 E8 1DACF1FF call <jmp.&msvbvm60.__vbaStrR8>
004EF075 8985 68FFFFFF mov dword ptr ss:,eax ; (UNICODE "259380")
004EF07B C785 60FFFFFF 0>mov dword ptr ss:,8
004EF085 6A 04 push 4
004EF087 8D85 60FFFFFF lea eax,dword ptr ss:
004EF08D 50 push eax
004EF08E 8D85 50FFFFFF lea eax,dword ptr ss:
004EF094 50 push eax
004EF095 E8 A4ABF1FF call <jmp.&msvbvm60.rtcRightCharVar> ; 相当于Right(字符,4)
004EF09A 8D85 50FFFFFF lea eax,dword ptr ss:
004EF0A0 50 push eax
004EF0A1 E8 3EABF1FF call <jmp.&msvbvm60.__vbaStrVarMove>
004EF0A6 8BD0 mov edx,eax ; 得到第一段注册码(UNICODE "9380")
'''删去部分无关非重要代码'''
004EF0DB C745 FC 0400000>mov dword ptr ss:,4
004EF0E2 C745 88 0400000>mov dword ptr ss:,4
004EF0E9 C745 80 0200000>mov dword ptr ss:,2
004EF0F0 8B45 08 mov eax,dword ptr ss:
004EF0F3 83C0 34 add eax,34
004EF0F6 8985 A8FEFFFF mov dword ptr ss:,eax
004EF0FC C785 A0FEFFFF 0>mov dword ptr ss:,4008
004EF106 8D45 80 lea eax,dword ptr ss:
004EF109 50 push eax
004EF10A 6A 05 push 5
004EF10C 8D85 A0FEFFFF lea eax,dword ptr ss:
004EF112 50 push eax
004EF113 8D85 70FFFFFF lea eax,dword ptr ss:
004EF119 50 push eax
004EF11A E8 DDAAF1FF call <jmp.&msvbvm60.rtcMidCharVar> ; 相当于Mid(字符,5,4)
004EF11F 8D85 70FFFFFF lea eax,dword ptr ss:
004EF125 50 push eax
004EF126 8D45 BC lea eax,dword ptr ss:
004EF129 50 push eax
004EF12A E8 75ABF1FF call <jmp.&msvbvm60.__vbaStrVarVal>
004EF12F 50 push eax ; 得到(UNICODE "9809")
004EF130 E8 DBABF1FF call <jmp.&msvbvm60.rtcR8ValFromBstr>
004EF135 DD9D 40FEFFFF fstp qword ptr ss: ; st=9809.0000000000000000
'''删去部分无关非重要代码'''
004EF142 8B00 mov eax,dword ptr ds:
004EF24B E8 C0AAF1FF call <jmp.&msvbvm60.rtcR8ValFromBstr>
004EF250 DD9D 28FEFFFF fstp qword ptr ss:
004EF256 DD85 40FEFFFF fld qword ptr ss: ; ss:=9809.000000000000
004EF25C DC0D C03A4000 fmul qword ptr ds: ; 固定数值ds:=772.0000000000000
004EF262 DFE0 fstsw ax ; 上面相乘9809*772
004EF264 A8 0D test al,0D
004EF266 0F85 512D0000 jnz 5.004F1FBD
004EF26C 51 push ecx
004EF26D 51 push ecx
004EF26E DD1C24 fstp qword ptr ss: ; 结果st=7572548.0000000000000
004EF271 E8 1CAAF1FF call <jmp.&msvbvm60.__vbaStrR8>
004EF276 8985 68FFFFFF mov dword ptr ss:,eax ; (UNICODE "7572548")
004EF27C C785 60FFFFFF 0>mov dword ptr ss:,8
004EF286 6A 04 push 4
004EF288 8D85 60FFFFFF lea eax,dword ptr ss:
004EF28E 50 push eax
004EF28F 8D85 50FFFFFF lea eax,dword ptr ss:
004EF295 50 push eax
004EF296 E8 A3A9F1FF call <jmp.&msvbvm60.rtcRightCharVar> ; 相当于Right(字符,4)
004EF29B 8D85 50FFFFFF lea eax,dword ptr ss:
004EF2A1 50 push eax
004EF2A2 8D45 B8 lea eax,dword ptr ss:
004EF2A5 50 push eax
004EF2A6 E8 F9A9F1FF call <jmp.&msvbvm60.__vbaStrVarVal>
004EF2AB 50 push eax ; 得到第二段注册码(UNICODE "2548")
004EF2AC E8 5FAAF1FF call <jmp.&msvbvm60.rtcR8ValFromBstr>
'''删去部分无关非重要代码'''
004EF391 C745 FC 0500000>mov dword ptr ss:,5
004EF398 C745 88 0400000>mov dword ptr ss:,4
004EF39F C745 80 0200000>mov dword ptr ss:,2
004EF3A6 8B45 08 mov eax,dword ptr ss:
004EF3A9 83C0 34 add eax,34
004EF3AC 8985 A8FEFFFF mov dword ptr ss:,eax
004EF3B2 C785 A0FEFFFF 0>mov dword ptr ss:,4008
004EF3BC 8D45 80 lea eax,dword ptr ss:
004EF3BF 50 push eax
004EF3C0 6A 01 push 1
004EF3C2 8D85 A0FEFFFF lea eax,dword ptr ss:
004EF3C8 50 push eax
004EF3C9 8D85 70FFFFFF lea eax,dword ptr ss:
004EF3CF 50 push eax
004EF3D0 E8 27A8F1FF call <jmp.&msvbvm60.rtcMidCharVar> ; 相当于Mid(字符,1,4)
004EF3D5 8D85 70FFFFFF lea eax,dword ptr ss:
004EF3DB 50 push eax
004EF3DC 8D45 BC lea eax,dword ptr ss:
004EF3DF 50 push eax
004EF3E0 E8 BFA8F1FF call <jmp.&msvbvm60.__vbaStrVarVal>
004EF3E5 50 push eax ; 得到(UNICODE "6802")
'''删去部分无关非重要代码'''
004EF56C E8 9FA7F1FF call <jmp.&msvbvm60.rtcR8ValFromBstr>
004EF571 DD9D 20FEFFFF fstp qword ptr ss:
004EF577 DD85 40FEFFFF fld qword ptr ss: ; 堆栈 ss:=6802.000000000000
004EF57D DC0D B03A4000 fmul qword ptr ds: ; 相乘,乘以固定数值369
004EF583 DFE0 fstsw ax
004EF585 A8 0D test al,0D
004EF587 0F85 302A0000 jnz 5.004F1FBD
004EF58D 51 push ecx
004EF58E 51 push ecx
004EF58F DD1C24 fstp qword ptr ss: ; 结果st=2509938.0000000000000
004EF592 E8 FBA6F1FF call <jmp.&msvbvm60.__vbaStrR8>
004EF597 8985 68FFFFFF mov dword ptr ss:,eax ; (UNICODE "2509938")
004EF59D C785 60FFFFFF 0>mov dword ptr ss:,8
004EF5A7 6A 04 push 4
004EF5A9 8D85 60FFFFFF lea eax,dword ptr ss:
004EF5AF 50 push eax
004EF5B0 8D85 50FFFFFF lea eax,dword ptr ss:
004EF5B6 50 push eax
004EF5B7 E8 82A6F1FF call <jmp.&msvbvm60.rtcRightCharVar> ; 相当于Right(字符,4)
004EF5BC 8D85 50FFFFFF lea eax,dword ptr ss:
004EF5C2 50 push eax
004EF5C3 8D45 B8 lea eax,dword ptr ss:
004EF5C6 50 push eax
004EF5C7 E8 D8A6F1FF call <jmp.&msvbvm60.__vbaStrVarVal>
004EF5CC 50 push eax ; 得到第三段注册码(UNICODE "9938")
'''删去部分无关非重要代码'''
'''下面是三段注册码的比较,真假码的比较'''
004EF934 FF75 BC push dword ptr ss: ; (UNICODE "1111")
004EF937 FF75 C8 push dword ptr ss: ; (UNICODE "9380")
004EF93A E8 A7A3F1FF call <jmp.&msvbvm60.__vbaStrCmp>
004EF93F 8BF0 mov esi,eax
004EF941 F7DE neg esi
004EF943 1BF6 sbb esi,esi
004EF945 46 inc esi
004EF946 F7DE neg esi
004EF948 FF75 B8 push dword ptr ss: ; (UNICODE "2222")
004EF94B FF75 C4 push dword ptr ss: ; (UNICODE "2548")
004EF94E E8 93A3F1FF call <jmp.&msvbvm60.__vbaStrCmp>
004EF953 F7D8 neg eax
004EF955 1BC0 sbb eax,eax
004EF957 40 inc eax
004EF958 F7D8 neg eax
004EF95A 66:23F0 and si,ax
004EF95D FF75 B4 push dword ptr ss: ; (UNICODE "3333")
004EF960 FF75 C0 push dword ptr ss: ; (UNICODE "9938")
004EF963 E8 7EA3F1FF call <jmp.&msvbvm60.__vbaStrCmp>
'''删去部分无关非重要代码'''
004EF9A9 E8 32A3F1FF call <jmp.&msvbvm60.__vbaFreeObjList>
004EF9AE 83C4 1C add esp,1C
004EF9B1 0FBF85 ECFDFFFF movsx eax,word ptr ss:
004EF9B8 85C0 test eax,eax
004EF9BA 0F84 D6200000 je 5.004F1A96 ; 跳则OVER,NOP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
破解总结:明码比较,算法简单,乘法的运算。下面是VB的算法注册机源码:
Private Sub Command1_Click()
temp = Right(Text1.Text, 12) 'Text1.Text为申请码,Text2.Text为序列号
sn1 = Val(Mid(temp, 9, 4)) * 165
sn2 = Val(Mid(temp, 5, 4)) * 772
sn3 = Val(Mid(temp, 1, 4)) * 369
Text2.Text = Right(sn1, 4) & "-" & Right(sn2, 4) & "-" & Right(sn3, 4)
End Sub
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 再放一个简单的软件给大家吧,有兴趣的可以去玩一下
=====================================
MP3超强铃声转换器 3.20
软件下载:http://www.onlinedown.net/soft/46970.htm
软件大小:1894KB
=====================================
标准MD5的简单应用,算法很简单,根据MD5(前六位)的值进行一系列运算来得到第8位以后的字符串
破解过程我就不写了,没时间```哈```
提供两组可用注册码
888888-c235
123654-ee3b
=====================================
下面是算法注册机 引用一楼的:
算法注册还是用自动注册的吧~
因为当注册码为
3333-333-33
的时候是注册不了的~~
我发过一个自动注册的注册机 原帖由 pentacle 于 2006-2-22 13:54 发表
引用一楼的:
算法注册还是用自动注册的吧~
因为当注册码为
3333-333-33
的时候是注册不了的~~
我发过一个自动注册的注册机
你是指MP3超强铃声转换器 3.20?
它的注册码的第七位必须是“ - ” 不错啊,收下了!!! 两位都是高手 那个龙历我弄了两天了 头都痛死了 还是破不了 正找这个破文呢 好好学习一下~
[ 本帖最后由 Nisy 于 2006-9-15 09:52 编辑 ] 原帖由 风球 于 2006-2-22 14:10 发表
你是指MP3超强铃声转换器 3.20?
它的注册码的第七位必须是“ - ”
不是啊
原贴见
https://www.chinapyg.com/viewthread.php?tid=3442&extra=page%3D3 晕。我看了一下。
你的算法注册机有问题
当申请码为:06089627555170
注册码应为:3050-6860-624
而你的却是:3050-6860-0624 ==>这个注册码是通不过的 算法你再分析一下吧。
应该是有一个数值转文本的过程 学习一下。